arxiv:2008.07958v3 [cs.cr] 19 jul 2021
TRANSCRIPT
[Digital Finance]This is a post-peer-review, pre-copyedit version of this article.The final authenticated version is available online at: https://doi.org/10.1007/s42521-021-00035-5
A Blockchain-based Forensic Model for Financial Crime
Investigation: The Embezzlement Scenario
Lamprini Zarpala1 · Fran Casino2,3
Received: 23 August 2020 / Accepted: 30 June 2021
Abstract The financial crime landscape is evolving along with the digitisation
of financial services. Laws, regulations and forensic methodologies cannot effi-
ciently cope with the growth pace of novel technologies, which translates into
late adoption of measures and legal voids, providing a fruitful landscape for
malicious actors. In this regard, the features offered by blockchain technology,
such as immutability, verifiability, and authentication, enhance the robustness
of financial forensics. This paper provides a taxonomy of the prevalent financial
investigation techniques and a thorough state-of-the-art of blockchain-based
digital forensic approaches. Moreover, we design and implement a forensic in-
Lamprini Zarpala E-mail: [email protected] · Fran Casino E-mail: [email protected]
1 Department of Banking and Financial Management, Piraeus University, Piraeus (Greece)
2 Department of Informatics, Piraeus University, Piraeus (Greece)
3 Athena Research Center, Athens (Greece)
· *All authors equally contributed to this work
arX
iv:2
008.
0795
8v3
[cs
.CR
] 1
9 Ju
l 202
1
2 Lamprini Zarpala, Fran Casino
vestigation framework based on standardised procedures and document the
corresponding methodology for embezzlement scheme investigations. The fea-
sibility and adaptability of our approach can be extended and embrace all
types of fraud investigations and regular internal audits. We provide a func-
tional Ethereum-based implementation, and we integrate standardised foren-
sic flows and chain of custody preservation mechanisms. Finally, we discuss
the challenges of the symbiotic relationship between blockchain and financial
investigations, along with the managerial implication and future research di-
rections.
Keywords Fraud Detection · Blockchain · Chain of Custody · Embezzlement
· Digital Forensics
JEL Classification K42 · K41 · M42 · G21
1 Introduction
The impact of fraud and economic crime on all organizations worldwide still
reaches high-record levels. The most frequently committed fraud scheme is as-
set misappropriation, where an employee is stealing or misusing organizational
resources (Association of Certified Fraud Examiners, 2020b). A provocative
question arising when it comes to fighting fraud is about the deployed tech-
nologies during the investigation.
Blockchain Forensics for Embezzlement Investigation 3
Data acquisition is one of the most critical steps during forensic in-
vestigations. This is interpreted as maintaining a chain of custody for data
and performing data integrity validation to ensure tamper-proofness (Delena
D. Spann, 2014; Gottschalk and Gottschalk, 2018). Advanced analytic tech-
niques, such as machine learning, cognitive computing, and, in general, auto-
mated data processing methods, are some of the trends in forensics1 in the
financial services sector.
In this work, we choose a real-world embezzlement2 scenario and
apply the forensic-by-design architecture of blockchain to validate the audit
trail’s integrity. To uncover embezzlement schemes, investigators have devel-
oped a hypothesis about the sequence of events and applied specific fraud
analytic tools presented in Section (2.1). The results from the data foren-
sics analysis and the other sources of documentation such as hard copies and
CCTV tapes are stored in the audit trail, supporting the hypothesis in poten-
tial litigation proceedings (Association of Certified Fraud Examiners, 2020a;
Guide, 2012; Delena D. Spann, 2014).
The sequence of custody, control, transfer, and disposition of the au-
dit trail of evidence is called chain of custody. The chain of custody indicates
1 Financial forensics is a methodology which combines investigation and auditing skills
to identify evidence for a potentially fraudulent activity that might end up in litigation.
Fraudulent activities might derive either from within or outside the organization.
2 It is the misappropriation of funds that have been entrusted to an employee for care or
management
4 Lamprini Zarpala, Fran Casino
who had access to records and thus the degree of difficulty in manipulation.
It assures that evidence is not damaged or altered in any way since gaps in
the chain may illustrate mishandling of evidence which leads to damaging the
case (Darrell D. Dorrell, 2012). The importance of chain of custody is high-
lighted when the fraud investigator has to perform one of the most challenging
tasks to put financial information in simple terms to be understandable from
decision-makers (senior management, prosecutor, etc.). The collection, exam-
ination, analysis, interpretation, and presentation of digital evidence shapes
investigations are crucial in proving embezzlement cases where digital evidence
is prevalent because the employee under investigation may be well aware of the
bank’s systems, procedures, and control gaps. In this regard, recent work in
the digital forensic community has established reliable scientific methodologies
and common standards in its workflows (Biasiotti et al., 2018; Gobler, 2010).
However, it still faces many challenges due to the volatile and malleable nature
of the evidence and the continuous advances in technology that introduce new
attack vectors (Huang et al., 2018; Casino et al., 2020).
In parallel to the digitization of financial services, blockchain tech-
nology (Nakamoto, 2008) has experienced a wide adoption due to the myriad
of possibilities and applications that it enables (Casino et al., 2019; Crosby
et al., 2016). Setting aside the different categorizations of blockchain in terms
of applications and consensus algorithms (i.e. the methodology to reach an
agreement between the different participants of the blockchain network to val-
idate a transaction), they offer different features, such as auditability, security,
Blockchain Forensics for Embezzlement Investigation 5
decentralization and transparency (Xu et al., 2019; Casino et al., 2019). In
addition, blockchains also provide immutability (Politou et al., 2019; Casino
et al., 2020), which is an interesting feature, yet poses significant challenges to
principles such as the right to be forgotten or the EU General Data Protection
Regulation Directive (GDPR) (Politou et al., 2018).
Blockchain applications in the financial context are already a fact
(Guo and Liang, 2016; Peters and Panayi, 2016; Casino et al., 2019). Never-
theless, blockchain capabilities can also be used maliciously to enable cryp-
tocurrency fraud scams such as investment and ponzi schemes, embezzlement,
phishing, and ransomware (AICPA, 2020). Therefore, investing efforts to pros-
ecute fraud as well as its prevention in both traditional and next generation
systems is mandatory. In this regard, the literature is still scarce in blockchain-
based methods oriented to fraud prevention (Wolverton and Lee, 2019; Joshi
et al., 2019). Promising research lines such as crypto de-anonymization meth-
ods have the potential to enable successful investigations and prosecutions
(ShenTu and Yu, 2015), yet such solutions have many constraints, as well as
not being feasible in cryptocurrencies such as Monero.
Based on the above requirements, it is apparent that the blockchain
features may enhance forensic procedures (Al-Khateeb et al., 2019). For in-
stance, the immutability of blockchain can guarantee the verifiability of the
chain of custody of evidences and provide an auditable trail of events. The
latter is mandatory to be presented as a solid proof in a courtroom.
6 Lamprini Zarpala, Fran Casino
1.1 Motivation and Contribution
The amount of cyber challenges faced by the financial sector requires cooper-
ation between different entities and actors both at national and international
levels. In this regard, several cybersecurity initiatives in the finance sector
are being pushed by organizations such as ENISA (Naydenov and Theochari-
dou, 2021) to establish a standard and fertile ground in such a critical sector.
Therefore, the work presented in this paper contributes to reinforcing key di-
mensions such as information sharing and capacity building, awareness and
training, standardization and certification, and research and innovation.
In this paper, we address the relevance of blockchain technology and
its inherent features for the management of evidence in forensic investiga-
tions. We are concerned with a case study that occurs within a financial in-
stitution. This type of fraud is also known as bank fraud. According to the
Basel Committee on Banking Supervision, there are different kinds of fraud:
internal/occupational frauds or external frauds. In this context, we will ex-
amine occupation fraud as an embezzlement scheme for unauthorised with-
drawals. The detection method used is a review of the source documentation
that might confirm or refute the allegation of embezzlement. In addition, we
provide a taxonomy of the financial investigation techniques, and comprehen-
sive overview of the state of the art in blockchain forensics, and we propose a
blockchain-based architecture for embezzlement’ fraudulent activities enabling
sound preservation of the chain of custody. This architecture and the forensic
Blockchain Forensics for Embezzlement Investigation 7
flows are implemented according to well-known standards and guidelines, such
as the ones described in Section 3.3. Moreover, we provide an implementation
based on Ethereum and smart contracts to preserve the chain of custody as
well as the trail of events. Overall, our solution enables various features and
benefits, such as integrity verification, tamper-proof, and future enhancement
of similar investigations. Therefore, approaches such as the one proposed in
this work aim to close the gap between the technicalities of financial investi-
gations and legal procedures, enhancing the robustness of the current state of
practice. In addition, we discuss several measures to improve the adaptabil-
ity of our system towards similar crimes, and we provide a fertile ground for
further research.
To the best of our knowledge, this is the first work that provides a
blockchain-based forensic sound procedure for embezzlement and an imple-
mentation based on smart contracts. Even though we use the embezzlement
scenario to illustrate the forensic procedure, our high-level architecture can be
extended in all fraud investigations and also in regular internal audits.
2 Related works
2.1 Financial Investigation Techniques
We analysed the state of the art of financial investigation techniques and tools
and leveraged a taxonomy of the different families of methods that can be used
8 Lamprini Zarpala, Fran Casino
according to the elements and actors under investigation. Figure 1 provides
an overview of the taxonomy and the most relevant techniques related to the
effective design of fraud detection.
Fraud-related technical literature incorporates in the design of de-
tective controls the importance of red flags for perpetrator’s behaviour, which
can validate the predictive theory (Gullkvist and Jokipii, 2013). In the embez-
zlement case, and in asset misappropriation in general, the detective controls
rotate around employee’s financial status, consumption habits, egocentric be-
haviour analysis, performance evaluation, adherence to vacation policies, job
dissatisfaction (Singleton and Singleton, 2010).
To detect deviations and specific behaviour in documents and so-
cial networks (Yoo and Gretzel, 2009), fraud investigators use techniques of
sentiment analysis (Goel and Uzuner, 2016) augmented with graph analysis
(Pourhabibi et al., 2020) to discover the degree of connectivity between indi-
viduals. Graph analysis is also used to evaluate the performance of a small
subset of transactions and to identify the accounts involved in a cross-channel
transaction. The latter cannot be identified with classical statistical source-
account profiling (Molloy et al., 2017).
The visual analysis category mainly refers to the graphical repre-
sentation of numerical and categorical data, usually in form of diagrams or
plots (e.g. bar, radial, box plots, heat maps), and 3D visualizations. This is
a well-known approach for fraud detection used by investigators to speed up
Blockchain Forensics for Embezzlement Investigation 9
manual analysis of data since this approach enhances its readability (Leite
et al., 2018). An essential aspect of visual analysis is the interaction of such
systems, letting investigators select, explore, and filter the visualized data.
Statistical and data analytics are leveraged with an extensive set
of techniques (Kobayashi et al., 2011; Banarescu, 2015) which aim to detect
anomalies in data. These anomalies could indicate customers’ abnormal behav-
ior (e.g frequency and amount of regular transactions, changes in geography,
and outlier detection) (Cliff and Wall-Parker, 2017; Ngai et al., 2011).
Artificial intelligence is widely used in the finance field to detect fraud
schemes such as embezzlement (Choi and Lee, 2018; Awoyemi et al., 2017).
One of the main approaches is leveraging pattern recognition by using ma-
chine learning techniques (both supervised and unsupervised) to classify data
according to some criteria (e.g., identify multiple transactions at a customers’
account in quick succession) (Sadgali et al., 2019) and to predict the occur-
rence of fraud through the use of neural networks, Bayesian learning, decision
trees and association rules (Cerullo and Cerullo, 1999a,b). Similarly, clustering
algorithms are used to explore how data are related and find further insights.
Other approaches also include rule-based expert systems and process mining
models which can extract and detect further data patterns (Omair and Alturki,
2020).
Finally, in parallel to the aforementioned techniques, text analysis
is another relevant source of evidence. Due to the modus operandi of the
10 Lamprini Zarpala, Fran Casino
malicious actors, the use of natural language processing to detect authorship
of documents (De Vel et al., 2001; Green and Sheppard, 2013), including the
use of specific keywords to tag specific transactions or operations, can help
in the detection of embezzlement (Markowitz and Hancock, 2014). Moreover,
automated systems to detect forged documents and signatures (Gideon et al.,
2018) are critical in this context.
Fig. 1: Mindmap abstraction of the different families of tools that enable fi-
nancial investigation.
Blockchain Forensics for Embezzlement Investigation 11
For our analysis, we reviewed prior researches related to embezzle-
ment schemes from the finance-related literature. Nevertheless, the existing
literature gives little attention to the embezzlement schemes performed within
financial institutions. Embezzlement schemes are more likely to be realised in
situations when either the separation of duties or the relevant audit trails are
weak or nonexistent. One of the most common types of banking fraud is the
unauthorized withdrawals from customer accounts (Association of Certified
Fraud Examiners, 2020a) and may take various forms. For instance, it could
be stealing money from customers by providing encoded deposit slips (Man-
ning, 2011) or borrowing from today’s account’s receivable and replace them
with tomorrow’s receipts. In all cases, a scheme to be successful requires the
creation of false data, reports, or data entries (Bologna, 1995). The aforemen-
tioned tools and techniques can be applied to detect embezzlement schemes.
Yet, one of the main challenges in the financial sector is accommodating such
solutions to each organization’s systems. Moreover, as stated in Section 1.1,
there are several challenges in terms of interoperability, training, policies and
regulations, and standardization, that prevent the creation of common frame-
works to exploit the full potential of such techniques.
12 Lamprini Zarpala, Fran Casino
2.2 Blockchain Forensics
Despite the suitability of blockchain towards preserving a trail of events in
an immutable and verifiable manner, only recently authors have started to
explore it.
In order to retrieve the relevant literature in blockchain, we queried
the Scopus database by using the keywords “blockchain” and “forensics”, and
we located further studies by means of the snowball effect (i.e. additional
literature referenced by the articles found in the initial search). In total, 28
articles were selected according to a specific criteria (i.e. we peer-reviewed and
excluded some papers based on their structural quality, language, and subject
area). Next, we performed a keyword-based and topic classification, depicted in
Figure 2. Therefore, we identified eight different blockchain forensic application
topics which span from 2018 to June 2020, being the most populated the ones
related with data management, IoT, and cloud.
In the context of cloud forensics, a framework to enable fast incident
response was proposed in Ricci et al. (2019). In Zhang et al. (2018), the authors
created a collaboration and evidence management framework to improve the
coordination of investigations when different stakeholders are involved. In the
case of Rane and Dixit (2019) and Duy et al. (2019), authors focused in logging-
as-a-service tools for securely storing and processing logs while coping with
issues of multi-stakeholder collusion, and the integrity and confidentiality of
Blockchain Forensics for Embezzlement Investigation 13
Fig. 2: Summary of blockchain forensic topics and the number of publications
per year.
logs. In this context, security and robust access mechanisms are mandatory,
as discussed in Pourvahab and Ekbatanifard (2019).
The works classified in data management topic present different mod-
els for data processing based on scalable solutions such as permissioned blockchains
(Gopalan et al., 2019; Lone and Mir, 2019; Xiong and Du, 2019) and blockchains
using lightweight consensus mechanisms (Tian et al., 2019). Other relevant fea-
tures showcased by authors are the verifiability of the trail of events (Weilbach
and Motara, 2019; Bonomi et al., 2020) and the classification of the evidence
in terms of features, enabling further data processing (Billard, 2018).
The evidence collected from IoT devices and the interactions between
different stakeholders are one of the main features studied in the literature
(Brotsis et al., 2019; Hossain et al., 2018; Ryu et al., 2019; Li et al., 2019).
14 Lamprini Zarpala, Fran Casino
In addition, privacy-preserving identity management (Le et al., 2018) is a
mandatory feature to be considered in such context.
The blockchain-based mobile forensic research focuses on applications
and malware detection. In this regard, authors propose the use of consortium
blockchains to detect malware and based on statistical analysis of each appli-
cation’s feature (Gu et al., 2018; Homayoun et al., 2019).
The multimedia forensic topic includes works related with processing
and storing CCTV video evidence (Kerr et al., 2018), the multimedia evi-
dence captured by smartphones (Samanta and Jain, 2018) and image-based
provenance and integrity (Zou et al., 2019).
In the healthcare context, the work presented in Malamas et al.
(2019) proposes a blockchain-enabled authorization framework for managing
both the Internet of Medical Things (IoMT) devices and healthcare stakehold-
ers. Smart grid forensics and its relevance is discussed in Kotsiuba et al. (2018).
Moreover, the authors showcase the benefits of blockchain towards enhancing
energy optimization, security and managerial tasks.
Transportation forensics has captured the interest of researchers due
to its timely relevance due to its seamless relationship with emerging tech-
nologies such as self-driving automation, IoT-based sensing, and 5G commu-
nication networks (Patsakis et al., 2019). Nevertheless, such novel frameworks
and the adoption of new data privacy frameworks (like the GDPR) call for the
Blockchain Forensics for Embezzlement Investigation 15
development of sound forensic mechanisms to analyze traffic accidents and
protect users’ sensitive data. For instance, in Billard and Bartolomei (2019),
the author proposes a system to manage user’s requests and their compliance
with legal frameworks.
A privacy-preserving framework is also proposed in Kevin and David
(2019), this time for managing sensitive navigation data while ensuring user’s
anonymity. In Cebe et al. (2018), the authors propose a blockchain-based foren-
sics system that enables traceable and privacy-aware post-accident analysis
with minimal requirements in storage and processing. In Patsakis et al. (2019)
a blockchain-based framework is proposed for keeping logs of all hardware
profile changes and updates in a vehicle.
Finally, we analysed the maturity of the literature according to their
development stage in Table 1. In general, we may observe that the majority
of solutions are in an early stage and thus, more efforts need to be devoted to
this research field to exploit all the potential of blockchain. A more detailed
exploration of the blockchain forensics literature can be found in Dasaklis et al.
(2020)
2.3 Forensic Models
Despite that one of the main issues in the digital forensics research field is the
standardisation of procedures according to each topic or context (Garfinkel,
16 Lamprini Zarpala, Fran Casino
Table 1: Maturity of blockchain-based forensics literature.
Implementation & Tests Partial Implementation Not Provided
Rane and Dixit (2019) Li et al. (2019) Ricci et al. (2019)Gopalan et al. (2019)
Duy et al. (2019) Gu et al. (2018) Billard (2018) Hossain et al. (2018)
Tian et al. (2019) Bonomi et al. (2020) Ryu et al. (2019) Brotsis et al. (2019) Billard and Bartolomei (2019)
Zhang et al. (2018) Patsakis et al. (2019) Kevin and David (2019)
Samanta and Jain (2018) Kotsiuba et al. (2018) Cebe et al. (2018)
Pourvahab and Ekbatanifard (2019) Weilbach and Motara (2019)
Malamas et al. (2019) Zou et al. (2019) Xiong and Du (2019)
Kerr et al. (2018) Lone and Mir (2019) Le et al. (2018) Homayoun et al. (2019)
2010), there exist several well-known forensic guidelines and models (Kyei
et al., 2013; Kent et al., 2006; INTERPOL, 2019), which are summarised
in Table 2. Moreover, a review of the international development of forensic
standards, such as ISO/IEC 27043:2015, can be found in Wilson-Wilde (2018)
and Antwi-Boasiako and Venter (2017).
Table 2: Most well-known forensic models and guidelines.
Name Year Reference
Digital Forensic Investigation Model 2001 Kruse and Heiser (2001)
Digital Forensic Research Workshop 2001 Palmer et al. (2001)
Abstract Digital Forensic Model 2002 Reith et al. (2002)
Integrated Digital Investigation Model 2004 Carrier and Spafford (2003)
Enhanced Digital Investigation Process Model 2004 Baryamureeba and Tushabe (2004)
Extended Model of Cybercrime Investigation 2004 Ciardhuain (2004)
NIST Guide to Integrating Forensic Techniques into Incident Response 2006 Kent et al. (2006)
Digital Forensic Model for Digital Forensic Investigation 2011 Ademu et al. (2011)
International Organization for Standardization ISO/IEC 27043:2015 2015 ISO (2015)
INTERPOL Guidelines for Digital Forensics Laboratories 2019 INTERPOL (2019)
ENFSI Guidelines 2016-2020 European Network of Forensic Science Institutes (2020)
In general, the procedures summarised in Table 2 have a common
hierarchical structure, which can be divided in the steps described in Table 3.
Blockchain Forensics for Embezzlement Investigation 17
Note that, evidence custody changes as well as evidence destruction are two
relevant steps that, although not mapped in the high level description provided
in Table 3, are included in our system implementation.
Table 3: Main steps in a digital forensic investigation model.
Forensic Step Description
Identification Assess the purpose and context of the investigation. Initialize and allocate
the resources required for the investigation, such as policies, procedures
and personnel.
Collection & Acquisition The seizure, storage and preservation of digital evidence. Although this
two steps need to be strictly differentiated in the physical forensics con-
text, we consider a more relaxed approach in the digital context, since
most of times data will be directly collected in a digital form.
Analysis The identification of tools and methods to process the evidence and the
analysis of the outcomes obtained
Reporting & Discovery The proper presentation of the reports and information obtained during
the investigation to be disclosed or shared with the corresponding entities.
3 Method
In the following sections, we will describe the case study and the actors in-
volved, our blockchain-based forensic architecture, and the forensic methodol-
ogy applied to such case.
18 Lamprini Zarpala, Fran Casino
3.1 A case study for an embezzlement scheme.
Let Malory be a malicious bank employee who worked at Golden Bank in
Albany, Oregon for 15 years. In addition, Malory was promoted to the Head
Teller position in the Central Branch five years ago. He was living beyond
means; driving a expensive car and being the owner of an expensive home. As
he was working for many years in the same branch, he had developed a good
relationship with affluent clients of the branch that where living abroad.
Within such period, the Branch Manager received an oral complaint
by the client Alice, who was contesting the balance recorded in the passbook of
his saving account. The Branch Manager tried to trail the vouchers of his last
transactions but were missing from the physical record. The responsibility
of the missing vouchers lied to Malory. The Branch manager, informed the
Internal Audit Department of the bank to investigate the case.
The investigation’s result was that Malory had embezzled 500,000
US$ from a network of 10 clients with similar profile characteristics to Al-
ice (elderly customers living abroad). These clients were served in the branch
that Malory was a Head teller. Malory tap into customers’ saving accounts
to wire funds without authorization for 5 years and proceeded unauthorized
withdrawals. Malory used the cancel transaction field as a markdown for the
embezzled money on each account, so as to keep track what needs to be re-
turned to each account before the client appeared in the branch.
Blockchain Forensics for Embezzlement Investigation 19
Figure 3 presents part of Malory’s scheme for a selected sample of
three clients. In this case, Malory has embezzled a total amount of 300 $ by
performing unauthorized transactions among clients disrespecting the bank’s
procedures. The next paragraphs describe explicitly three days where Malory
acted on behalf of clients and for his own interest.
Fig. 3: A case study for an embezzlement scheme.
In Day 1, Malory being alone in the cash desk of the bank’s branch
performed an unauthorised cash withdrawal of 700 $ from the banking account
of Alice. A minute after he performs an unauthorised cash deposit in the
banking account of Bob. From these two transactions he puts 200$ in his
wallet from the cash difference in the bank’s ledger. The only evidence from
this irregular behaviour is tracked in the CCTV surveillance system, since the
20 Lamprini Zarpala, Fran Casino
physical vouchers linked to unauthorised transactions are lost. At this point
of time, Alice has a debit balance of 700 $ and Bod a credit balance of 500 $.
Next, in Day 2, Malory performs an unauthorised cash withdrawal
of 500$ from the banking account of Bob, and credits Claire’s saving account
with an equal amount. At the end of the day, Bob’s balance becomes zero while
Claire’s balance is credited with 500 $. Similar to Day 1, the only evidence
from this irregular behaviour is tracked in the CCTV surveillance system.
A day later, Malory performs an unauthorised withdrawal from the
account of Claire of 400$ and deposits back to client Alice an amount of 300$
keeping for himself 100$. At this point Claire’s account has a credit balance
of 100$ and Alice’s account has a debit balance of 400$. Same as above, no
voucher bears clients’ signatures and the only evidence that can track his
irregular behaviour is the daily CCTV recording.
3.2 Actors Involved
The main actors involved during the investigation of the above embezzlement
scheme are presented in figure 4. Now, we will describe how each actor is
involved in the chain of custody.
Firstly, the branch archived the written complain of the client con-
testing the balance recorded in the passbook of his saving account. It was also
Blockchain Forensics for Embezzlement Investigation 21
Fig. 4: Actors involved in the embezzlement scheme.
responsible for the archiving of original vouchers related to the transactions
signed by each customer and for the historic record of CCTV material.
The Internal Audit received the written declaration of the complaint
through the internal mail of the bank and e-mail communication. Original hard
copies of the complaint are stored in a separate physical folder linked to Mal-
ory’s case. The physical folder is scanned at the end of the case and archived in
a shared folder with authorized accesses. This folder also includes hard copies
linked to the fraud hypothesis (CCTV files, original vouchers, signatures’ spec-
imen etc), the signed testimony 3 of Maroly . The signed report released with
3 The testimony is recorded as a written agreement between Malory and two investigators
(signed by each of them).
22 Lamprini Zarpala, Fran Casino
investigation results 4. Digital documentation from detective tools mentioned
in 2.1 is archived in the local server of the department, and only authorized
users may have access. For the investigation’s purposes, the Internal Audit in-
teracts with the bank’s IT department, Surveillance Department, the Branch,
and Human Resources (HR) Department.
IT Department assists Internal Audit by providing data from the
database of core banking system. The data are sent via e-mail usually as an
excel file concerning transactions and daily journal of entries of Malory. Also,
when Internal Audit needs to trace additional CCTV files, it collaborates with
Surveillance Department. The latter delivers any CCTV files upon request
through USB. Each employee has a physical record with personal informa-
tion archived in HR Department. This information distributed to investigators
through emails. Also, it is responsible for the archiving of disciplinary board’s
proceedings.
When the investigation’s report is issued, Senior Management re-
ceives it. Its role is to decide and approve any disciplinary and litigation ac-
tions. Decisions and approvals are documented and archived. If the decision
involves litigation actions then Legal Department undergoes the submission to
a prosecuting authority.
4 A hard copy of the report is distributed internally to Senior management, HR depart-
ment, and legal department (i.e., these actors are defined later in this section). The recipients
sign a mail record which is then archived in the physical folder of the case.
Blockchain Forensics for Embezzlement Investigation 23
At last, the Prosecutor receives a structured package including the
disciplinary board’s decision, the findings’ report and a copy of physical evi-
dence and proceeds to further legal actions.
3.3 Forensic Procedure
In the case of chain of custody and trail of events preservation, we need to
ensure that our system enables features such as integrity, traceability, authen-
tication, verifiability and security (Bonomi et al., 2020; Tian et al., 2019).
In this regard, Table 4 provides a description of each feature and how our
blockchain-based system enables it.
Table 4: Main features required to guarantee chain of custody preservation.
Feature Description
Integrity The events data as well as evidences cannot be altered or corrupted during
the transferring and during analysis due to the use of hashes.
Traceability The events and evidences can be traced from their creation till their
destruction since every interaction is stored in an immutable ledger.
Authentication All the actors and entities are unique and provide an irrefutable proof of
identity due to the use of asymmetric cryptography.
Non-repudiation Each action can be related with its author, enabling strong accountability
guarantees.
Verifiability The transactions and interactions can be verified by the corresponding
actors. This verification can be performed in real time.
Security Only actors with clearance can add content or access to it. A robust
underlying consensus mechanism ensures that the transactions are signed
in a cryptographically secure way.
24 Lamprini Zarpala, Fran Casino
In addition, Figure 5 summarises the main tasks performed in each
investigation phase according to our case scenario, and their corresponding
relationship with the forensic flow. We included the process defined in ISO
27043:2015 (ISO, 2015), as well as each step defined in the guidelines to plan
and prepare for incident response (ISO/IEC 27035-2:2016 (International Orga-
nization for Standardization, 2016)), the guidelines for the identification, col-
lection, acquisition and preservation of digital evidence (ISO/IEC 27037:2012
(International Organization for Standardization, 2012)) and the guidelines for
interpretation and analysis of digital evidence (ISO/IEC 27042:2015 (Inter-
national Organization for Standardization, 2015)). Therefore, we mapped the
different steps of the investigation as defined in our method. Note that we
included the prevention layer in our design, which details will be later dis-
cussed in Section 5. Therefore, after reporting the incident and initiating the
investigation, the evidence collection and forensic analysis is summarised in
following steps:
1. Collection and analysis of the investigated accounts (including saving ac-
counts of clients and their correlation with employees’ accounts).
2. Analysis of the daily transactions recorded in the journal of entries of
Malory (i.e. extractions from core banking system).
3. Reconcile the time of transactions appearing in the journal entry with the
CCTV time.
4. Review of CCTV files in order to trace the physical presence of the client
and the suspect.
Blockchain Forensics for Embezzlement Investigation 25
5. Collection of the testimony of the suspect(s) in signed hardcopy.
Fig. 5: Embezzlement Forensic investigation main phases according to stan-
dardised procedures (top) and the corresponding actions performed in our case
study (bottom).
For an investigation to be sound, all the forensic steps need to be
provable and, in the case of evidence analysis, results need to be reproducible.
In the case of internal audits, a malicious investigator could tamper evidence
or the analysis performed on data to hide proofs. Therefore, a robust forensic
procedure is required to guarantee that evidence is collected in a sound manner
and it is not tampered during the analysis. Moreover, each forensic action
has to be paired with an individual. The aforementioned requirements can be
accomplished by means of the blockchain-based forensic architecture described
in the next section.
26 Lamprini Zarpala, Fran Casino
3.4 Blockchain-based Forensic Architecture
In this section, we describe our blockchain-based forensic architecture. In our
setup, we assume that the system is implemented in the context of a secure
laboratory/investigation facility according to a set of policies and regulations.
Note that, since each region and country may apply different policies, we
leave their definition and discussion as a future research line. Nevertheless, our
system can accommodate more functionalities in the smart contract definition,
as well as higher layer control systems and application programming interfaces
(API)s.
Considering the previously stated forensic flows and the characteris-
tics of the embezzlement scenario, the architecture of our method is depicted
in Figure 6. Different policies and regulations will be applied at each level
identified in Figure 5, so that, e.g. the identity management, including roles
and permissions, will be defined by the corresponding authorities according
to each jurisdiction. Moreover, the forensic guidelines and standards, as well
as the underlying blockchain technology to be used and the definition of the
smart contracts are also tied to the same principle.
The first step involves the case creation. In this regard, a case can
be registered due to a citizen’s testimony (we include in this definition any
individual that wants to report a crime) or directly by a prosecutor (or an
investigator with enough clearance to open a case) who observed suspicious
Blockchain Forensics for Embezzlement Investigation 27
Fig. 6: Overview of the different levels of the system.
behaviour. Next, evidences are collected and analysed by using the appropri-
ate forensic tools. The description of each action (e.g. storing an evidence and
analysing an evidence) may have a description file associated with JSON or
CSV format, to ease further searches and classifications. We assume that se-
cure and private storage is used to preserve the evidences, but other platforms
such as cloud-based storage or decentralized storage systems such as the Inter-
Planetary File System (IPFS) (Benet, 2014) can be used if data are properly
protected/encrypted (i.e. following the definitions set out in information se-
curity standards like ISO/IEC 27001 (Ganji et al., 2019) or other national
IT-security guidelines). More concretely, depending on the approach selected
by the investigators, the hashes of the evidence can point to an IPFS address
or record the SHA-256 hash of the evidence, the latter being the prevalent
method in most threat intelligence platforms, such as Virustotal5 or Malware-
Bazaar6. Therefore, our proposed system enables the extraction of the hashes
5 https://www.virustotal.com/
6 https://bazaar.abuse.ch/
28 Lamprini Zarpala, Fran Casino
of an investigation via a set of smart contract functions, as later described in
Section 4, enabling investigators to use such intelligence services (e.g. by using
their APIs to upload the evidence or by a hash query) to retrieve additional
intelligence. Despite its practicality, an automated methodology to integrate
a query system for each intelligence platform requires different configurations
and is left to future work.
Finally, when the investigation concludes, all the data can be col-
lected and presented in court.
The aforementioned interactions are mapped into a smart contract
and therefore stored permanently in the blockchain. The latter guarantees the
verifiability of the investigation due to the blockchain’s immutability, as well
as the preservation of the chain of custody, as mentioned early in Table 4.
Therefore, the investigation can be audited to certify that any evidence was
tampered during the investigation, guaranteeing the soundness of the different
forensic procedures. In addition, our approach is designed to be accommodated
and in other digital investigation contexts apart from embezzlement, enhancing
its adaptability to internal audits.
Concerning the identity management scheme, we argue that due to
each organisation’s specific regulatory requirements and policies, which may
entail further definitions, agreements and developments, the definition of such
scheme falls out of the scope of this paper. Therefore, we consider the iden-
tity management module as a black box in our architecture to apply stan-
Blockchain Forensics for Embezzlement Investigation 29
dard and validated mechanisms. For instance, further than the MetaMask
7 web3 plugin used in our testing setup to manage the wallets and operat-
ing the smart contracts through our web interface, other blockchain-based
identity management systems could be applied in this layer. Blockchain cir-
cumvents the boundary-based digital identity problem by delivering a secure
solution without the need for a trusted, central authority managing access
permissions through smart contracts. Since blockchain is considered one of
the main enablers of self-sovereign identities, alongside with verifiable cre-
dentials and decentralised identifiers, there are multiple examples of privacy-
preserving blockchain-based identity management systems and already func-
tional projects (Jacobovitz, 2016; Dunphy and Petitcolas, 2018; Zhu and Badr,
2018) that could be adopted for our forensic platform. In this regard, some
approaches enabling multi-authority attribute-based access control with smart
contracts have been presented in the literature (Guo et al., 2019a,b), as well as
approaches implementing multi-blockchain approaches for fine-grained access
control (Malamas et al., 2020). In addition, FIDO-based authentication mech-
anisms could also be used to enable higher security standards (Morii et al.,
2017; Lyastani et al., 2020), including biometric access control, criptographi-
cally secure credentials, and passwordless authentication.
7 http://metamask.io/
30 Lamprini Zarpala, Fran Casino
4 Experiments and Integration Details
The interactions between the different actors of the system and the forensic
events have been implemented by means of a smart contract, and different tests
have been performed in a local private blockchain to showcase the feasibility
and performance of the proposed method. More specifically, an Ethereum-
based blockchain using node8 and ganache-cli9 was created, and truffle10
was used to code and deploy a fully functional smart contract. Moreover, a
graphical interface was developed in order to query and insert information
stored in the blockchain by using node package manager npm 11, which also
retrieves the corresponding hash of the directory of a specific investigation
and its link to the IPFS (Benet, 2014), along with other detailed information.
Therefore, the information of a specific investigation (or a set of them) is
graphically depicted for the user, as well as the option to store a new event,
as seen in Figures 7 and 8, respectively.
We have selected Ethereum due to its robust consensus mechanism as
well as its smart contract framework (i.e. we use solidity 0.5.0, which prevents
vulnerabilities such as uninitialized storage pointer and erroneous visibility).
For more information about the security of Ethereum and its smart contract
8 https://nodejs.org/
9 https://github.com/trufflesuite/ganache-cli
10 http://truffleframework.com
11 https://nodejs.org/en/knowledge/getting-started/npm/what-is-npm/
Blockchain Forensics for Embezzlement Investigation 31
Fig. 7: Example of the outcome of a query by searching all cases and their
corresponding IPFS links.
Fig. 8: A detail of the form user to insert a new event to the system.
framework, we refer the interested reader to Xiao et al. (2020) and Chen et al.
(2019), respectively.
For the sake of completeness, a detailed description of the functions
implemented in the smart contract is provided in Table 5. As an additional
32 Lamprini Zarpala, Fran Casino
feature, every time the information of the smart contract is updated, a trigger
function is called, which can be used as an alert. Therefore, the investigators
will be able to check in real time the information about a given investiga-
tion using the get/retrieve functions implemented in the smart contract for
verification or managerial purposes.
Table 5: Main characteristics and permissions of the functions implemented in
the smart contract.The permissions column states which functions are public
(P) or restricted (R) only for specific users related to a case.
Code Function Input Output Permissions Description
f1 constructor void na na creates the smart contract
f2 addCase String name, String description, String
responsible, String globalID, times-
tamp, hash
void R adds a new case to the system
f3 updateCaseDescription Uint caseID, string description void R updates a case description
f4 updateCaseStatus Uint caseID, string status void R updates a case status
f5 updateResponsible Uint caseID, address responsible void R updates a the responsible of a case
f6 addInvestigatorCase Uint caseID, address investigator void R adds a new investigator to a case
f7 getNumberOfCases void Uint P returns the global number of cases
f8 getCase Uint caseID Object P returns a case object and its informa-
tion
f9 getCaseGlobalID Uint caseID String P returns the global ID of a case
f10 getNumberofInvestigators Uint caseID Uint P returns the number of investigators
asigned to a case
f11 getCaseHash Uint caseID hash P returns the hash pointer with informa-
tion of a case
f12 addEvent Uint caseID, string type, String descrip-
tion, String status, hash, timestamp
void R adds a new event to a case
f13 updateEventStatus Uint eventID, string status void R updates an event/evidence status
f14 getNumberOfEventsCase Uint caseID Uint P returns the number of events of a case
f15 getEventsCase Uint caseID Object P returns the set of events related to a
case
f16 getGlobalNumberOfEvents void Unit P returns global number of registered
events
f17 getEvent Uint eventID Object P returns an event object
f18 getEventHash Uint eventID Hash P returns the hash of a specific event
f19 triggers void void P trigger functions to update the status
of the smart contract
Blockchain Forensics for Embezzlement Investigation 33
A link between the smart contract’s functions and the forensic pro-
cedures is summarised in Table 6. In the case of custody change procedures,
the involved actors will be stored in the corresponding list of owners of the
evidence along with a timestamp. Moreover, a new event can be created with
an evidence pointing to the same hash, yet with a new creation date to grasp
the import of such evidence. In the case of the destruction of an evidence,
this procedure will change the status of the evidence to deleted. In the latter
case, the deletion of a file in a local storage is an easy task, yet the complete
erasure of the content in e.g. IPFS can only be made feasible through novel
mechanisms (Politou et al., 2020), since IPFS does not implement an erasure
protocol at the time of writing (Allen et al., 2020; Casino et al., 2020). In the
case of blockchain, the problem is exacerbated due to its inherent immutabil-
ity (Politou et al., 2018; Politou et al., 2019; Deuber et al., 2019), and the
best solution is to minimise the direct storage of data (i.e. only pointers and
hashes).
Table 6: Relationship between smart contract functions and forensic proce-
dures.
Forensic embezzlement procedure Code
Register new case f1, f2, f3
Evidence management f12, f13
Evidence analysis f8, f11, f12, f17, f18
Analysis & Report f8, f9, f10, f11, f14, f15, f18
Admin & Statistics f4, f13, f5, f6, f7, f9, f10, f14, f15, f14, f17, f19
34 Lamprini Zarpala, Fran Casino
In addition to the benefits enabled by the smart contracts, it is es-
sential to guarantee the privacy of the transactions and the involved actors.
Therefore, the contents can be modified only by participants with specific roles
(each function is implemented with concrete permissions, e.g. using the require
clause of solidity and variables such as msg:sender to check account authen-
ticity), thus enabling secure access control. For example, prosecutors will be
able to open and close investigations, but investigators will be able only to
add new events to a specific investigation. In our setup, read-only functions
and variables can be checked by public users. Nevertheless, more sophisticated
access control, policies and data protection measures can be implemented by
the users of the platform according to their specific needs.
The transactions tested in the developed private blockchain (e.g. de-
ployment of the smart contract, adding a new case and adding a new event)
are performed in the order of milliseconds, and thus, our approach enables
real-time interactions. The implementations as well as the graphical interface
web service are available on GitHub12.
5 Discussion
In this section, we discuss both the benefits and the challenges to be over-
come in the blockchain digital forensics field. Moreover, we provide a granular
12 https://github.com/francasino/financial_forensics
Blockchain Forensics for Embezzlement Investigation 35
analysis of such challenges across the different topics explored in this work,
namely, digital forensics, blockchain, and finance related crimes.
Table 7: Prevention mechanisms and their corresponding application level.
Mechanism Level affected
Training on anti-fraud and appropriate behavioural conduct Workers
Efficient networking and communication strategies All
Transparent managerial practices Executives
Risk assessment to both internal and external fraud All
Integration of security and AI experts in the organization charts Workers
Audit controls and appropriate resources All
According to the challenges extracted from our literature review, we
identified several mechanisms that could be used to prevent/minimise financial
fraud in institutions and their corresponding context of application in Table 7.
As it can be observed, training on anti-fraud and incorporating higher security
standards are necessary to help employees in their daily activities. In addition,
executive personnel should implement more comprehensive and transparent
managerial practices to avoid the possibility of obscure and unethical activ-
ities. Finally, communication, networking and risk assessment are crucial to
improving the information flows between all the actors involved.
Blockchain and its benefits to a myriad of application scenarios have
been thoroughly discussed in the past (Casino et al., 2019; Kuo et al., 2017;
Ølnes et al., 2017; Zheng et al., 2018). Features such as immutability, veri-
fiability, auditability, security were enhanced by the automation provided by
36 Lamprini Zarpala, Fran Casino
smart contracts. For example, the existence of an event at an specific time (e.g.
the existence of a file, a good, a token or any kind of asset) can be verified
in a matter of milliseconds, due to the self-executing capabilities and the real
time synchronization of the information in the blockchain. The latter enables
proof-of-existence when paired with the use of hashes, which can be used to
guarantee the trail of events as well as the proper preservation of the chain of
custody in the digital forensics context.
In addition, the benefits go further beyond the provision of a solid
proof in court, since the knowledge an evidence gathered in a case can be
correlated in the future to reduce the time required to find a vulnerability or
speed up cybercrime investigations. This is particularly relevant in the finance
context, where all background and identification information can be stored. For
instance, the Know your Customer (KYC) can be processed easier and faster
during investigations and be secured against any internal fraudulent activities.
On top of that, the application of smart contracts could prevent efforts for
forgery and counterfeit documents. Therefore, the use of blockchain and its
data mining capabilities will foster collaboration between different entities to
share information and enable the early detection of embezzlement schemes.
Moreover, evidences and reports can provide valuable input for the elaboration
of AI models with which increase the rate of embezzlement detection, since
embezzlement schemes sometimes last for more than 5 years.
Blockchain Forensics for Embezzlement Investigation 37
As discussed in (Chang et al., 2020), the authors identified several
critical success factors for adopting blockchain technology in the finance sec-
tor. In general, robust and efficient blockchain implementations are critical to
guarantee the required infrastructure to leverage financial services. The latter,
paired with well-trained teams and robust security and privacy guarantees,
will close the gap for the adoption of blockchain in finance. Other crucial as-
pects are reputation and community building and mechanisms to guarantee
upgraded, long-term products and services. Another relevant aspect that hin-
ders blockchain adoption is the lack of global regulations (Ali et al., 2020),
due to highly regulated industries paired with complex jurisdictional and legal
frameworks. In addition, underdeveloped countries with insufficient technolog-
ical infrastructure, and an unclear privacy management and data governance
are also delaying blockchain’s adoption (Kim and Kang, 2017). The latter
is translated into a lack of interoperable solutions and reactive behaviours
displayed by regulators, which are always a step behind novel trends and op-
portunities.
The proper use and adoption of blockchain and showcasing its po-
tential is vital. We believe that systems like the one proposed in this paper
reinforce the trust in blockchain and close the gap between the financial sector
and blockchain, not only in the context of digital investigation but as a poten-
tial tool to leverage better services backed with solid regulatory frameworks
supporting them.
38 Lamprini Zarpala, Fran Casino
Despite the aforementioned benefits, blockchain is not a panacea.
There are still many challenges to overcome, such as the issues related with
standardization of the procedures related with digital crime prosecution. The
latter includes cross border investigations, data storage and data sharing poli-
cies, and the management of personal data. Note that the storage of personal
data in a blockchain contradicts the GDPR and the right to be forgotten (Poli-
tou et al., 2018; Politou et al., 2019) due to immutability. Therefore, despite
the unarguable benefits of the immutability property, the capability of sharing
an asset perpetually can be used with malicious ends as already seen in the lit-
erature (Li et al., 2020; Conti et al., 2018; Patsakis et al., 2020). Moreover, this
issue is not only affecting blockchain but also decentralised permanent storage
solutions, due to the lack of effective erasure mechanisms (Casino et al., 2020).
We believe the controlled erasure of data in blockchain, as well as similar sys-
tems, will be a relevant research area in the near future and some authors are
already investigating it (Politou et al., 2019; Radinger-Peer and Kolm, 2020;
Deuber et al., 2019; Xu et al., 2020).
Another relevant flaw of blockchain is its scalability, which varies ac-
cording to the volume of transactions, verifiers/miners, consensus mechanism
and other features. In this regard, it is well-known that private flavours of
blockchain are the most suitable for most of applications, yet their scalability
when the number of users and interactions grow also suffers performance issues
(Dinh et al., 2017; Pongnumkul et al., 2017; Dong et al., 2019; Politou et al.,
2020).
Blockchain Forensics for Embezzlement Investigation 39
In our implementation, we minimise the amount of data stored in the
blockchain by using hashes. Nevertheless, our testing protocol focused on the
underlying functionalities in order to showcase the feasibility of robust digital
investigation and verifiable chain of custody. Therefore, the implementation of
an advanced identity management system and the required policy definitions
to overcome the issues of cross border investigations are not covered in this
paper, and are left for future research.
The key benefit from the managerial perspective of our proposed ar-
chitecture is that it can eliminate operational risk and costs associated with
investigation procedures. In particular, it can accelerate investigations by fa-
cilitating the reconciliation of evidence in a verifiable and auditable manner,
increasing the possibility of identifying perpetrators and reducing fraud man-
agement and recovery costs. It enables senior management to have direct access
to fraud risk exposure, reporting, and monitoring and gain a comprehensive
view of all investigative information improving their decision-making analysis
to impose sanctions and proceed to litigation actions. Moreover, the proposed
architecture can be adopted for the audit trail of regularly planned internal
audits.
Based on the same methodological steps, the auditors can store their
evidence from their audit trails to better monitor their follow-up actions. Thus,
regular internal audits can rip the benefits of this architecture and deliver effi-
cient outcomes to the management. Blockchain adoption might have a double
40 Lamprini Zarpala, Fran Casino
effect on the internal audit department since it can reduce operational costs
associated with the streamlining of auditing and investigative procedures.
6 Conclusions
In this paper, we recall the negative impact of financial crimes on society, fo-
cusing on embezzlement scenarios. We provide a thorough state-of-the-art of
blockchain-based digital forensic approaches, increasing their relevance in such
investigations due to their inherent features. Next, we propose a functional im-
plementation of a forensically sound flow to investigate financial crimes based
on Ethereum, and we test it with a real-world embezzlement use case. The
outcomes showed that our proposal empowers integrity verification, tamper-
proofness, and adaptability towards other fraud and financial crimes.
Despite the benefits of our approach, we leveraged a profound anal-
ysis of the literature, identifying the fundamental challenges for adopting
blockchain and the financial sector and proposing some strategies to overcome
them. Moreover, we discussed further benefits of our approach and how it en-
hances some of the features required for closing the gap between blockchain
and the financial sector.
Among the most important aspects of blockchain integration in fi-
nancial investigations - and internal audits - are the guarantee of invariable
evidence and the streamlining of auditing and investigation procedures. The
Blockchain Forensics for Embezzlement Investigation 41
management of a financial institution may reduce several operational costs
associated with the fraud incident and its investigation. The whole framework
facilitates the interaction of interdisciplinary resources securely and confiden-
tially and provides a comprehensive overview of each organization’s manage-
ment related to monitoring and reporting fraud risk exposure. Future work
will focus on increasing the adaptability of the scheme by enabling other func-
tionalities and the migration to other blockchain systems. Moreover, we aim to
provide a robust identification mechanism to enable secure and private cross-
border investigations.
Acknowledgements This work was supported by the European Commission under the
Horizon 2020 Programme (H2020), as part of the project LOCARD (https://locard.
eu) (Grant Agreement no. 832735) and YAKSHA, (https://project-yaksha.eu/project/)
(Grant Agreement no 780498).
References
Ademu IO, et al. (2011) A new approach of digital forensic model for digital
forensic investigation. Int J Adv Comput Sci Appl 2(12):175–178
AICPA (2020) Cyber criminals are finding ways to steal your digital
dollars. URL https://blog.aicpa.org/2020/05/cyber-criminals-are-
finding-ways-to-steal-your-digital-dollars.html
Al-Khateeb H, et al. (2019) Blockchain for modern digital forensics: The chain-
of-custody as a distributed ledger. In: Advanced Sciences and Technologies
for Security Applications, pp 149–168
42 Lamprini Zarpala, Fran Casino
Ali O, Ally M, Clutterbuck, Dwivedi Y (2020) The state of play of blockchain
technology in the financial services sector: A systematic literature review.
International Journal of Information Management 54:102199
Allen S, et al. (2020) IPFS Release v0.6.0. URL https://github.com/ipfs/
go-ipfs/releases, accessed on 01.07.2020
Antwi-Boasiako A, Venter H (2017) A model for digital evidence admissibility
assessment. In: Peterson G, Shenoi S (eds) Advances in Digital Forensics
XIII, Springer International Publishing, Cham, pp 23–38
Association of Certified Fraud Examiners (2020a) Fraud examiners manual
Association of Certified Fraud Examiners (2020b) Report To the Nations 2020
Global Study on Occupational Fraud and Abuse
Awoyemi JO, Adetunmbi AO, Oluwadare SA (2017) Credit card fraud detec-
tion using machine learning techniques: A comparative analysis. In: 2017
International Conference on Computing Networking and Informatics (IC-
CNI), IEEE, pp 1–9
Baryamureeba V, Tushabe F (2004) The enhanced digital investigation process
model. In: Proceedings of the Fourth Digital Forensic Research Workshop,
pp 1–9
Benet J (2014) Ipfs-content addressed, versioned, p2p file system. arXiv
preprint arXiv:14073561
Biasiotti MA, et al. (2018) Handling and Exchanging Electronic Evidence
Across Europe, vol 39. Springer
Blockchain Forensics for Embezzlement Investigation 43
Billard D (2018) Weighted forensics evidence using blockchain. In: Proceedings
of the 2018 International Conference on Computing and Data Engineering,
ACM, New York, NY, USA, ICCDE 2018, pp 57–61
Billard D, Bartolomei B (2019) Digital Forensics and Privacy-by-Design: Ex-
ample in a Blockchain-Based Dynamic Navigation System
Bologna GJ (1995) Understanding and detecting computer-related embezzle-
ment. Edpacs 23(3):1
Bonomi S, et al. (2020) B-coc: A blockchain-based chain of custody for evi-
dences management in digital forensics. In: OpenAccess Series in Informat-
ics, vol 71
Brotsis S, et al. (2019) Blockchain solutions for forensic evidence preservation
in iot environments. In: 2019 IEEE Conference on Network Softwarization
(NetSoft), pp 110–114
Banarescu A (2015) Detecting and preventing fraud with data analytics. Pro-
cedia Economics and Finance 32:1827–1836
Carrier B, Spafford EH (2003) Getting physical with the investigative process.
International Journal of Digital Evidence
Casino F, et al. (2019) A systematic literature review of blockchain-based
applications: current status, classification and open issues. Telematics and
Informatics 36:55–81
Casino F, et al. (2020) Immutability and decentralized storage: An analysis of
emerging threats. IEEE Access 8:4737–4744
44 Lamprini Zarpala, Fran Casino
Cebe M, et al. (2018) Block4Forensic: An Integrated Lightweight Blockchain
Framework for Forensics Applications of Connected Vehicles. IEEE Com-
munications Magazine 56(10):50–57
Cerullo MJ, Cerullo V (1999a) Using neural networks to predict financial re-
porting fraud: Part 1. Computer Fraud and Security 1999(5):14–17
Cerullo MJ, Cerullo V (1999b) Using neural networks to predict financial
reporting fraud: Part 2. Computer Fraud and Security 1999(6):14–17
Chang V, Baudier P, Zhang H, Xu Q, Zhang J, Arami M (2020) How
blockchain can impact financial services – the overview, challenges and rec-
ommendations from expert interviewees. Technological Forecasting and So-
cial Change 158:120166
Chen H, et al. (2019) A survey on ethereum systems security: Vulnerabilities,
attacks and defenses. arXiv preprint arXiv:190804507
Choi D, Lee K (2018) An artificial intelligence approach to financial fraud
detection under iot environment: A survey and implementation. Security
and Communication Networks 2018
Ciardhuain SO (2004) An extended model of cybercrime investigations. Inter-
national Journal of Digital Evidence 3(1):1–22
Cliff G, Wall-Parker A (2017) Statistical analysis of white-collar crime. In:
Oxford Research Encyclopedia of Criminology and Criminal Justice
Conti M, et al. (2018) A survey on security and privacy issues of bitcoin. IEEE
Communications Surveys & Tutorials 20(4):3416–3452
Blockchain Forensics for Embezzlement Investigation 45
Crosby M, et al. (2016) Blockchain technology: Beyond bitcoin. Applied Inno-
vation 2(6-10):71
Darrell D Dorrell GAG (2012) Financial Forensics Body of Knowledge. John
Wiley & Sons, Inc.
Dasaklis TK, et al. (2020) Sok: Blockchain solutions for forensics. arXiv
preprint arXiv:190804507
De Vel O, Anderson A, Corney M, Mohay G (2001) Mining e-mail content for
author identification forensics. ACM Sigmod Record 30(4):55–64
Delena D Spann (2014) Fraud Analytics : Strategies and Methods for Detection
and Prevention
Deuber D, et al. (2019) Redactable blockchain in the permissionless setting.
In: 2019 IEEE Symposium on Security and Privacy (SP), IEEE, pp 124–138
Dinh TTA, et al. (2017) Blockbench: A framework for analyzing private
blockchains. In: Proceedings of the 2017 ACM International Conference on
Management of Data, pp 1085–1100
Dong Z, et al. (2019) Dagbench: A performance evaluation framework for dag
distributed ledgers. In: 2019 IEEE 12th International Conference on Cloud
Computing (CLOUD), IEEE, pp 264–271
Dunphy P, Petitcolas FAP (2018) A first look at identity management schemes
on the blockchain. IEEE Security Privacy 16(4):20–29
Duy P, et al. (2019) Sdnlog-foren: Ensuring the integrity and tamper resistance
of log files for sdn forensics using blockchain. In: Proceedings - 2019 6th
NAFOSTED Conference on Information and Computer Science, NICS 2019,
46 Lamprini Zarpala, Fran Casino
pp 416–421
European Network of Forensic Science Institutes (2020) Forensic guidelines.
URL http://enfsi.eu/documents/forensic-guidelines/
Ganji D, et al. (2019) Approaches to develop and implement iso/iec 27001
standard-information security management systems: A systematic literature
review. International Journal on Advances in Software Volume 12, Number
3 & 4, 2019
Garfinkel SL (2010) Digital forensics research: The next 10 years. Digital In-
vestigation 7:S64 – S73, the Proceedings of the Tenth Annual DFRWS Con-
ference
Gideon SJ, Kandulna A, Kujur AA, Diana A, Raimond K (2018) Handwritten
signature forgery detection using convolutional neural networks. Procedia
computer science 143:978–987
Gobler M (2010) Digital forensic standards: International progress. In: South
African Information Security Multi-Conference, SAISMC 2010, Port Eliza-
beth, South Africa, May 17-18, 2010. Proceedings, pp 261–271
Goel S, Uzuner O (2016) Do Sentiments Matter in Fraud Detection? Estimat-
ing Semantic Orientation of Annual Reports. Intell Syst Accounting, Financ
Manag 23(3):215–239
Gopalan SH, et al. (2019) Digital forensics using blockchain. International
Journal of Recent Technology and Engineering 8(2 Special Issue 11):182–
184
Gottschalk P, Gottschalk P (2018) Internal Investigation Approaches
Blockchain Forensics for Embezzlement Investigation 47
Green RM, Sheppard JW (2013) Comparing frequency-and style-based fea-
tures for twitter author identification. In: The Twenty-Sixth International
FLAIRS Conference
Gu J, et al. (2018) Consortium blockchain-based malware detection in mobile
devices. IEEE Access 6:12118–12128
Guide AP (2012) Preventing and Detecting Employee Theft and Embezzle-
ment. DOI 10.1002/9781119205135
Gullkvist B, Jokipii A (2013) Perceived importance of red flags across fraud
types. Critical Perspectives on Accounting 24(1):44–61
Guo H, Meamari E, Shen CC (2019a) Multi-authority attribute-based access
control with smart contract. In: Proceedings of the 2019 International Con-
ference on Blockchain Technology, pp 6–11
Guo R, Shi H, Zheng D, Jing C, Zhuang C, Wang Z (2019b) Flexible and
efficient blockchain-based abe scheme with multi-authority for medical on
demand in telemedicine system. IEEE Access 7:88012–88025
Guo Y, Liang C (2016) Blockchain application and outlook in the banking
industry. Financial Innovation 2(1):24
Homayoun S, et al. (2019) A Blockchain-based Framework for Detecting Ma-
licious Mobile Applications in App Stores. arXiv preprint arXiv:190604951
Hossain MM, et al. (2018) Probe-IoT: A public digital ledger based forensic
investigation framework for IoT. In: INFOCOM Workshops, pp 1–2
Huang K, et al. (2018) Systematically understanding the cyber attack business:
A survey. ACM Computing Surveys (CSUR) 51(4):1–36
48 Lamprini Zarpala, Fran Casino
International Organization for Standardization (2012) Guidelines for identi-
fication, collection, acquisition and preservation of digital evidence. URL
https://www.iso.org/standard/44381.html
International Organization for Standardization (2015) Guidelines for the anal-
ysis and interpretation of digital evidence. URL https://www.iso.org/
standard/44406.html
International Organization for Standardization (2016) Guidelines to plan
and prepare for incident response. URL https://www.iso.org/standard/
62071.html
INTERPOL (2019) Global guidelines for digital forensics laboratories. Tech.
rep., Global Complex for Innovation
ISO (2015) ISO/IEC 27043:2015 Information technology, Security techniques,
Incident investigation principles and processes. Tech. Rep. 1, ISO, Central
Secretariat
Jacobovitz O (2016) Blockchain for identity management. The Lynne and
William Frankel Center for Computer Science Department of Computer
Science Ben-Gurion University, Beer Sheva
Joshi P, et al. (2019) A blockchain based framework for fraud detection. In:
2019 Conference on Next Generation Computing Applications (NextComp),
pp 1–5
Kent K, et al. (2006) Sp 800-86. guide to integrating forensic techniques into
incident response
Blockchain Forensics for Embezzlement Investigation 49
Kerr M, et al. (2018) A blockchain implementation for the cataloguing of cctv
video evidence. In: 2018 15th IEEE International Conference on Advanced
Video and Signal Based Surveillance (AVSS), pp 1–6
Kevin D, David B (2019) HACIT2: A privacy preserving, region based and
blockchain application for dynamic navigation and forensics in VANET
Kim K, Kang T (2017) Does technology against corruption always lead to
benefit? The Potential Risks and Challenges of the Blockchain Technology
pp 12–15
Kobayashi H, Mark BL, Turin W (2011) Probability, random processes,
and statistical analysis: applications to communications, signal processing,
queueing theory and mathematical finance. Cambridge University Press
Kotsiuba I, et al. (2018) Blockchain evolution: from bitcoin to forensic in smart
grids. In: 2018 IEEE International Conference on Big Data (Big Data),
IEEE, pp 3100–3106
Kruse WG, Heiser JG (2001) Computer forensics: incident response essentials.
Pearson Education
Kuo TT, et al. (2017) Blockchain distributed ledger technologies for biomedical
and health care applications. Journal of the American Medical Informatics
Association 24(6):1211–1220
Kyei K, et al. (2013) A review and comparative study of digital forensic inves-
tigation models. In: Rogers M, Seigfried-Spellar KC (eds) Digital Forensics
and Cyber Crime, Springer Berlin Heidelberg, Berlin, Heidelberg, pp 314–
327
50 Lamprini Zarpala, Fran Casino
Le DP, et al. (2018) Biff: a blockchain-based iot forensics framework with iden-
tity privacy. In: TENCON 2018-2018 IEEE Region 10 Conference, IEEE, pp
2372–2377
Leite RA, Gschwandtner T, Miksch S, Gstrein E, Kuntner J (2018) Visual an-
alytics for event detection: Focusing on fraud. Visual Informatics 2(4):198–
212
Li S, et al. (2019) Blockchain-based digital forensics investigation framework
in the internet of things and social systems. IEEE Transactions on Compu-
tational Social Systems 6(6):1433–1441
Li X, et al. (2020) A survey on the security of blockchain systems. Future
Generation Computer Systems 107:841–853
Lone AH, Mir RN (2019) Forensic-chain: Blockchain based digital forensics
chain of custody with PoC in Hyperledger Composer. Digital Investigation
28:44–55
Lyastani SG, Schilling M, Neumayr M, Backes M, Bugiel S (2020) Is fido2
the kingslayer of user authentication? a comparative usability study of fido2
passwordless authentication. In: 2020 IEEE Symposium on Security and
Privacy (SP), IEEE, pp 268–285
Malamas V, Kotzanikolaou P, Dasaklis TK, Burmester M (2020) A hierarchi-
cal multi blockchain for fine grained access to medical data. IEEE Access
8:134393–134412
Malamas V, et al. (2019) A Forensics-by-Design Management Framework for
Medical Devices Based on Blockchain. In: 2019 IEEE World Congress on
Blockchain Forensics for Embezzlement Investigation 51
Services (SERVICES), IEEE, vol 2642, pp 35–40
Manning GA (2011) Financial Investigation and Forensic Accounting. DOI
10.1017/CBO9781107415324.004, arXiv:1011.1669v3
Markowitz DM, Hancock JT (2014) Linguistic traces of a scientific fraud: The
case of diederik stapel. PloS one 9(8):e105937
Molloy I, Chari S, Finkler U, Wiggerman M, Jonker C, Habeck T, Park Y,
Jordens F, van Schaik R (2017) Graph analytics for real-time scoring of
cross-channel transactional fraud. In: Grossklags J, Preneel B (eds) Finan-
cial Cryptography and Data Security, Springer Berlin Heidelberg, Berlin,
Heidelberg, pp 22–40
Morii M, Tanioka H, Ohira K, Sano M, Seki Y, Matsuura K, Ueta T (2017)
Research on integrated authentication using passwordless authentication
method. In: 2017 IEEE 41st Annual Computer Software and Applications
Conference (COMPSAC), IEEE, vol 1, pp 682–685
Nakamoto S (2008) Bitcoin: A peer-to-peer electronic cash system
Naydenov R, Theocharidou M (2021) Eu cybersecurity initiatives in the
finance sector. Tech. rep., ENISA, URL https://www.enisa.europa.
eu/publications/EU_Cybersecurity_Initiatives_in_the_Finance_
Sector
Ngai EW, Hu Y, Wong YH, Chen Y, Sun X (2011) The application of data
mining techniques in financial fraud detection: A classification framework
and an academic review of literature. Decis Support Syst 50(3):559–569
52 Lamprini Zarpala, Fran Casino
Omair B, Alturki A (2020) A systematic literature review of fraud detection
metrics in business processes. IEEE Access 8:26893–26903
Palmer G, et al. (2001) A road map for digital forensic research. In: First
digital forensic research workshop, utica, new york, pp 27–30
Patsakis C, et al. (2019) External Monitoring Changes in Vehicle Hardware
Profiles: Enhancing Automotive Cyber-Security. Journal of Hardware and
Systems Security pp 1–15
Patsakis C, et al. (2020) Unravelling ariadne’s thread: Exploring the threats
of decentralised dns. IEEE Access p to appear
Peters GW, Panayi E (2016) Understanding modern banking ledgers through
blockchain technologies: Future of transaction processing and smart con-
tracts on the internet of money. In: Banking beyond banks and money,
Springer, pp 239–278
Politou E, et al. (2018) Forgetting personal data and revoking consent un-
der the gdpr: Challenges and proposed solutions. Journal of Cybersecurity
4(1):tyy001
Politou E, et al. (2019) Blockchain mutability: Challenges and proposed solu-
tions. IEEE Transactions on Emerging Topics in Computing pp 1–1
Politou E, et al. (2020) Delegated content erasure in ipfs. Future Generation
Computer Systems 112:956 – 964
Pongnumkul S, et al. (2017) Performance analysis of private blockchain plat-
forms in varying workloads. In: 2017 26th International Conference on Com-
puter Communication and Networks (ICCCN), IEEE, pp 1–6
Blockchain Forensics for Embezzlement Investigation 53
Pourhabibi T, Ong KL, Kam BH, Boo YL (2020) Fraud detection: A system-
atic literature review of graph-based anomaly detection approaches. Decision
Support Systems 133:113303
Pourvahab M, Ekbatanifard G (2019) Digital forensics architecture for ev-
idence collection and provenance preservation in iaas cloud environment
using sdn and blockchain technology. IEEE Access 7:153349–153364
Radinger-Peer W, Kolm B (2020) A blockchain-driven approach to fulfill the
gdpr recording requirements. In: Blockchain and Distributed Ledger Tech-
nology Use Cases, Springer, pp 133–148
Rane S, Dixit A (2019) BlockSLaaS: Blockchain assisted secure logging-as-a-
service for cloud forensics
Reith M, et al. (2002) An examination of digital forensic models. International
Journal of Digital Evidence 1(3):1–12
Ricci J, et al. (2019) Blockchain-Based Distributed Cloud Storage Digital
Forensics: Where’s the Beef? IEEE Security and Privacy 17(1):34–42
Ryu JH, et al. (2019) A blockchain-based decentralized efficient investigation
framework for IoT digital forensics. Journal of Supercomputing 75(8):4372–
4387
Sadgali I, Sael N, Benabbou F (2019) Performance of machine learning
techniques in the detection of financial frauds. Procedia computer science
148:45–54
Samanta P, Jain S (2018) E-Witness: Preserve and Prove Forensic Sound-
ness of Digital Evidence. In: Proceedings of the 24th Annual International
54 Lamprini Zarpala, Fran Casino
Conference on Mobile Computing and Networking, ACM, pp 832–834
ShenTu Q, Yu J (2015) Research on anonymization and de-anonymization in
the bitcoin system. arXiv preprint arXiv:151007782
Singleton T, Singleton A (2010) Fraud Auditing and Forensic Accounting
Tian Z, et al. (2019) Block-DEF: A secure digital evidence framework using
blockchain. Information Sciences 491:151–165
Weilbach WT, Motara YM (2019) Distributed Ledger Technology to Support
Digital Evidence Integrity Verification Processes
Wilson-Wilde L (2018) The international development of forensic science stan-
dards — a review. Forensic Science International 288:1 – 9
Wolverton R, Lee J (2019) Blockchain Versus Financial Statement Fraud.
Tech. rep., AICPA
Xiao Y, et al. (2020) A survey of distributed consensus protocols for blockchain
networks. IEEE Communications Surveys & Tutorials
Xiong Y, Du J (2019) Electronic evidence preservation model based on
blockchain. In: Proceedings of the 3rd International Conference on Cryp-
tography, Security and Privacy, ACM, pp 1–5
Xu J, et al. (2020) An identity management and authentication scheme based
on redactable blockchain for mobile networks. IEEE Transactions on Vehic-
ular Technology 69(6):6688–6698
Xu M, et al. (2019) A systematic review of blockchain. Financial Innovation
5(1):27
Blockchain Forensics for Embezzlement Investigation 55
Yoo KH, Gretzel U (2009) Comparison of deceptive and truthful travel reviews.
In: Information and communication technologies in tourism 2009, Springer,
pp 37–47
Zhang Y, et al. (2018) A blockchain-based process provenance for cloud foren-
sics. In: 2017 3rd IEEE International Conference on Computer and Com-
munications (ICCC), IEEE, pp 2470–2473
Zheng Z, et al. (2018) Blockchain challenges and opportunities: A survey. In-
ternational Journal of Web and Grid Services 14(4):352–375
Zhu X, Badr Y (2018) Identity management systems for the internet of things:
A survey towards blockchain solutions. Sensors 18(12)
Zou R, et al. (2019) Blockchain-based photo forensics with permissible trans-
formations. Computers and Security 87
Ølnes S, et al. (2017) Blockchain in government: Benefits and implications of
distributed ledger technology for information sharing. Government Informa-
tion Quarterly 34(3):355 – 364